diff options
author | Lasse Collin <lasse.collin@tukaani.org> | 2023-10-09 22:07:52 +0300 |
---|---|---|
committer | Lasse Collin <lasse.collin@tukaani.org> | 2023-10-22 19:03:52 +0300 |
commit | 8276c7f41c671eee4aa3239490658b23dcfd3021 (patch) | |
tree | 0ea5a10ee423725d55b888281678784da2bb5aac /configure.ac | |
parent | CMake: Edit threading related messages. (diff) | |
download | xz-8276c7f41c671eee4aa3239490658b23dcfd3021.tar.xz |
xz: Support basic sandboxing with Linux Landlock (ABI versions 1-3).
It is enabled only when decompressing one file to stdout,
similar to how Capsicum is used.
Landlock was added in Linux 5.13.
Diffstat (limited to '')
-rw-r--r-- | configure.ac | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac index 9d35071a..00a9e3c0 100644 --- a/configure.ac +++ b/configure.ac @@ -519,7 +519,7 @@ AM_CONDITIONAL([COND_DOC], [test x$enable_doc != xno]) AC_MSG_CHECKING([if sandboxing should be used]) AC_ARG_ENABLE([sandbox], [AS_HELP_STRING([--enable-sandbox=METHOD], [Sandboxing METHOD can be - 'auto', 'no', 'capsicum', or 'pledge'. + 'auto', 'no', 'capsicum', 'pledge', or 'landlock'. The default is 'auto' which enables sandboxing if a supported sandboxing method is found.])], [], [enable_sandbox=auto]) @@ -527,12 +527,12 @@ case $enable_sandbox in auto) AC_MSG_RESULT([maybe (autodetect)]) ;; - no | capsicum | pledge) + no | capsicum | pledge | landlock) AC_MSG_RESULT([$enable_sandbox]) ;; *) AC_MSG_RESULT([]) - AC_MSG_ERROR([--enable-sandbox only accepts 'auto', 'no', 'capsicum', or 'pledge'.]) + AC_MSG_ERROR([--enable-sandbox only accepts 'auto', 'no', 'capsicum', 'pledge', or 'landlock'.]) ;; esac @@ -1059,6 +1059,11 @@ AS_CASE([$enable_sandbox], AC_CHECK_FUNCS([pledge], [enable_sandbox=found]) ] ) +AS_CASE([$enable_sandbox], + [auto | landlock], [ + AC_CHECK_HEADERS([linux/landlock.h], [enable_sandbox=found]) + ] +) # If a specific sandboxing method was explicitly requested and it wasn't # found, give an error. |